Last week, a new and comprehensive WAF pentest was published, comparing Incapsula’s WAF to CloudFlare’s new Rule-based WAF; the analysis can be downloaded here.

The effort was made by Zero Science Lab, who also conducted the last penetration test comparison back in February this year. Zero Science Lab decided to run a “Round 2” penetration test after CloudFlare announced the launch of a new Rule-based WAF in August.

Excerpts from Zero Science Lab’s Conclusion:

“From the results tables, we can see that Incapsula's WAF continues to have an advantage over CloudFlare's WAF. We should also mention that only Incapsula's WAF is PCI-Certified, which is an advantage for certain types of online businesses.

While CloudFlare's new WAF solution showed substantial improvement since the first penetration test, it still does not provide the comprehensive level of security against certain types of web application attacks (e.g., SQL injection, Remote File Inclusion) that many online businesses today require.

We noticed the high block ratio of XSS attacks, but from all the types of attacks, the main focus was on Cross-Site Scripting. The SQL Injection, Local and Remote File Inclusion, and Remote Code/Command Execution attacks had a very low detection rate by the CloudFlare WAF.

Incapsula, on the other hand, has shown consistent security performance in both tests, with a high block ratio and few false-positives.”

It was also great to see that the Incapsula fingerprinting engine triumphed:

"What’s also important to note is that Incapsula can recognize an ongoing attack and block the attacker's session. We specifically noticed this during the test using automated tools such as ZAP and Burp. Their blocking mechanism seems to be based on recognizing the fingerprint of the tool being used, so even if you try to trick it by changing the default User-Agent or manipulating other header fields, the WAF will still block your session. We didn't notice such a mechanism on CloudFlare's WAF. CloudFlare blocks a session only if an attacker tries to manipulate and send invalid headers."

Our Follow-up

We have worked through the findings of this report, and patched and adapted the WAF to the test vectors that originally got through. The Incapsula cloud WAF now stops all the vectors specified.